There seems to have been no rest for Microsoft over the 2012 holidays as it issued a quick fix for a zero-day IE vulnerability that attackers were actively exploiting via drive-by download attacks. It may have felt like a flashback for the company as it also rushed to issue an emergency out-of-band update to deal with vulnerabilities in late December 2011.

After security vendor FireEye reported on the zero-day, Microsoft confirmed the vulnerability to Brian Krebs. Chinese hackers were suspected of planting malware for cyber-espionage on the Council on Foreign Relations (CFR) server and pushing out the drive-by attack via the vulnerability in IE, reported the Washington Free Beacon. Drive-by downloads are especially dangerous as victims can have their computer hijacked just by visiting an infected website. The "attackers limited their targeting to CFR members and website visitors who used browsers configured for Chinese language characters - an indication the attackers were looking for people and intelligence related to China." The FBI is reportedly investigating.

Symantec called this a "watering hole" attack in which victims were first profiled to determine what websites they visit; the chosen site is injected with malware and, like lions waiting at a watering hole, attackers wait for the visitors to be infected at the compromised site. The attackers used malware dubbed Bifrose as a "backdoor" to steal files from infected computers.

Security researcher Nikhil Kulkarni provided a proof-of-concept that demonstrated the clickjacking vulnerability to EHacking News. The So.cl page appears to load in the background while the "click below to win your prize money" button is on a "top layer." If a user clicked the button, it would post a message on the victim's wall.

Kulkarni told Softpedia that So.cl users could easily be victims and be fooled into clicking on links they "may find interesting such as free gifts or 'click to win million dollar' reward scams. The users think that they are clicking visible buttons, while they are actually performing actions on the hidden page. The hidden page may be an authentic page; therefore, the attackers can trick the victims into performing actions which the victim never wanted to perform."

Although Kulkarni notified Microsoft of this flaw in August, Microsoft said the clickjacking attack "was not a security issue." The company stuck with the "not a security issue" answer despite the 4-5 proof-of-concepts the researcher sent to them. "They have only recently realized that this really was a flaw that should be addressed."
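The hidden-page trick described above only works when the browser agrees to render the target page inside another site's frame. As an added example (not from the article or from Microsoft), this sketch shows how a site owner could audit response headers for the two standard anti-framing controls; the function name and the sample header sets are constructed for illustration.

```javascript
// Added example: decide whether a response can be framed by another origin,
// based on its anti-clickjacking headers. All sample inputs are constructed.
function framingProtection(headers) {
  // Header names are case-insensitive, so normalise them first.
  const h = {};
  for (const [k, v] of Object.entries(headers)) h[k.toLowerCase()] = String(v);

  // Collect every enforced frame-ancestors directive. A comma separates
  // independent policies, and each policy is enforced on its own.
  const lists = [];
  for (const policy of (h['content-security-policy'] || '').split(',')) {
    for (const directive of policy.split(';')) {
      const [name, ...sources] = directive.trim().toLowerCase().split(/\s+/);
      if (name === 'frame-ancestors') lists.push(sources);
    }
  }
  if (lists.length > 0) {
    // "*" or a bare scheme such as "https:" lets any site embed the page.
    const open = (s) => s === '*' || /^[a-z][a-z0-9+.-]*:$/.test(s);
    const restrictive = lists.some((src) => !src.some(open));
    // When frame-ancestors is enforced, browsers ignore X-Frame-Options.
    return { framable: !restrictive, via: 'csp frame-ancestors' };
  }

  // Fallback header. ALLOW-FROM is obsolete and ignored by modern browsers,
  // so only DENY and SAMEORIGIN count as protection here.
  const xfo = (h['x-frame-options'] || '').trim().toUpperCase();
  if (xfo === 'DENY' || xfo === 'SAMEORIGIN') {
    return { framable: false, via: 'x-frame-options' };
  }
  return { framable: true, via: xfo ? 'x-frame-options (ignored value)' : 'none' };
}

// Constructed sample responses.
const samples = {
  noHeaders: {},
  sameOrigin: { 'X-Frame-Options': 'SAMEORIGIN' },
  cspNone: { 'Content-Security-Policy': "default-src 'self'; frame-ancestors 'none'" },
  cspWildcard: { 'Content-Security-Policy': 'frame-ancestors *', 'X-Frame-Options': 'DENY' },
  allowFrom: { 'X-Frame-Options': 'ALLOW-FROM https://partner.example' },
};
for (const [label, hdrs] of Object.entries(samples)) {
  console.log(label, framingProtection(hdrs));
}
```

A result of `framable: true` on a page that performs state-changing actions, such as posting to a user's wall, means the overlay described above would work against it.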